Timestamp:
Dec 6, 2015, 5:54:43 PM (9 years ago)
Author:
[email protected]
Message:

REGRESSION(r193584): Causes heap use-after-free crashes in Web Inspector tests with AddressSanitizer (Requested by ddkilzer on #webkit).
https://bugs.webkit.org/show_bug.cgi?id=151929

Reverted changeset:

"[ES6] "super" and "this" should be lexically bound inside an
arrow function and should live in a JSLexicalEnvironment"
https://bugs.webkit.org/show_bug.cgi?id=149338
http://trac.webkit.org/changeset/193584

File:
1 edited

  • trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp

    r193584 r193606  
    839839        case NewFunction:
    840840        case NewArrowFunction: {
     841            bool isArrowFunction = node->op() == NewArrowFunction;
    841842            if (node->castOperand<FunctionExecutable*>()->singletonFunction()->isStillValid()) {
    842843                m_heap.escape(node->child1().node());
     
    844845            }
    845846           
    846             target = &m_heap.newAllocation(node, Allocation::Kind::Function);
     847            target = &m_heap.newAllocation(node, isArrowFunction ? Allocation::Kind::NewArrowFunction : Allocation::Kind::Function);
    847848            writes.add(FunctionExecutablePLoc, LazyNode(node->cellOperand()));
    848849            writes.add(FunctionActivationPLoc, LazyNode(node->child1().node()));
     850            if (isArrowFunction)
     851                writes.add(ArrowFunctionBoundThisPLoc, LazyNode(node->child2().node()));
    849852            break;
    850853        }
     
    10161019            break;
    10171020
     1021        case LoadArrowFunctionThis:
     1022            target = m_heap.onlyLocalAllocation(node->child1().node());
     1023            if (target && target->isArrowFunctionAllocation())
     1024                exactRead = ArrowFunctionBoundThisPLoc;
     1025            else
     1026                m_heap.escape(node->child1().node());
     1027            break;
     1028       
    10181029        case GetScope:
    10191030            target = m_heap.onlyLocalAllocation(node->child1().node());
     
    20352046        case NewFunction:
    20362047        case NewArrowFunction: {
     2048            bool isArrowFunction = node->op() == NewArrowFunction;
    20372049            Vector<PromotedHeapLocation> locations = m_locationsForAllocation.get(escapee);
    2038             ASSERT(locations.size() == 2);
     2050            ASSERT(locations.size() == (isArrowFunction ? 3 : 2));
    20392051               
    20402052            PromotedHeapLocation executable(FunctionExecutablePLoc, allocation.identifier());
     
    20452057
    20462058            node->child1() = Edge(resolve(block, activation), KnownCellUse);
     2059           
     2060            if (isArrowFunction) {
     2061                PromotedHeapLocation boundThis(ArrowFunctionBoundThisPLoc, allocation.identifier());
     2062                ASSERT(locations.contains(boundThis));
     2063                node->child2() = Edge(resolve(block, boundThis), CellUse);
     2064            }
     2065           
    20472066            break;
    20482067        }
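Review bot: The restored `target = &m_heap.newAllocation(node, Allocation::Kind::Function);` records only `FunctionExecutablePLoc` and `FunctionActivationPLoc` for both NewFunction and NewArrowFunction, so nothing in this phase distinguishes an arrow function's sunk allocation from a plain one any more; since the revert is motivated by an ASan heap use-after-free, a short why-comment at that line would keep the next attempt from re-landing the extra bound-this location without addressing it, e.g. `// Arrow functions are sunk exactly like plain functions: only executable + activation are tracked (see bug 151929, revert of r193584).` Whether the DFG node still carries a child2 after this revert cannot be seen here; if it does, the materialization path below, which again asserts `locations.size() == 2`, is what would catch a mismatch, and only in debug builds. The enclosing switch statements and the functions they sit in begin and end outside these hunks, and the line between `m_heap.escape(node->child1().node());` and the closing brace of that branch is not visible in this rendering.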